For those who don't know, LittleSnitch is a great application that lets you block outgoing network connections. It's very useful to stop apps (such as trojan horses) from "calling home." The problem is I often log into home via ssh, and want to use stuff like curl, for which I do not want to define a specific rule and would rather have LittleSnitch ask me every time.

Say I want to install something remotely using Fink; I can't, because there's no way to tell LittleSnitch to let curl connect to the mirror. So I came up with a little AppleScript UI script to fix this...

Here's the code:

tell application "System Events"
    tell process "KUC"
        tell window "Little Snitch"
            -- The few lines below are not mandatory.
            -- They switch the pop-up to "Allow Any network connection"
            -- (the default is "Allow Same port").
            click pop up button 1 of group 1
            delay 1
            keystroke "a"
            keystroke return
            -- End of the non-mandatory section.
            click button "Allow Until Quit"
        end tell
    end tell
end tell

Save the script, and then you can use something like this to allow the exception:

$ curl apple.com | osascript ~/Documents/Allow_Snitch.scpt

This method won't work for everything, though. Like with Fink, which triggers curl only a bit after you run the command, in which case you will need to have two ssh connections opened and guesstimate the appropriate time at which to run the script. It's definitely not a CLI tool for LittleSnitch, but it will do the job most of the time.

Note that I am nowhere near an AppleScript expert. I also believe this could be made better by triggering the AppleScript from a shell script, thus allowing for a few more options. Last but not least, a bit of warning about this: OBDev (the makers of Little Snitch) don't want to make a CLI tool for it, as it could be a security risk. This is probably true and also applies to this script, but that's fine by me.
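A shell wrapper along the lines suggested above (start the command in the background, wait a few seconds for the alert to appear, then run the UI script to dismiss it), as an added example that is not the hint author's code. It assumes the AppleScript above has been saved as ~/Documents/Allow_Snitch.scpt, the path used in the hint, and that osascript is on the path; the SNITCH_SCRIPT and SNITCH_OSASCRIPT variables are assumptions added so both can be overridden.

```shell
#!/bin/sh
# allow_snitch.sh: run one command in the background, then after a short delay
# run the Little Snitch UI script from the hint to click "Allow Until Quit".
# Added example, not the hint author's code. Assumes the AppleScript was saved
# as ~/Documents/Allow_Snitch.scpt; SNITCH_SCRIPT and SNITCH_OSASCRIPT are
# assumed override variables, not Little Snitch settings.

SNITCH_SCRIPT="${SNITCH_SCRIPT:-$HOME/Documents/Allow_Snitch.scpt}"
SNITCH_OSASCRIPT="${SNITCH_OSASCRIPT:-osascript}"

# valid_delay SECONDS: true when the argument is a non-negative integer.
valid_delay() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# run_with_allow DELAY CMD [ARGS...]
# Starts CMD in the background, sleeps DELAY seconds so the alert has time to
# show up, runs the UI script, then waits for CMD and returns its exit status.
# If CMD finished before the delay there is no alert window, the AppleScript
# errors out and the wrapper only prints a warning.
run_with_allow() {
    delay="$1"
    shift
    valid_delay "$delay" || { echo "invalid delay: $delay" >&2; return 2; }
    "$@" &
    cmd_pid=$!
    sleep "$delay"
    $SNITCH_OSASCRIPT "$SNITCH_SCRIPT" || echo "warning: UI script failed" >&2
    wait "$cmd_pid"
}

# Usage: sh allow_snitch.sh 5 curl apple.com
if [ "$#" -ge 2 ]; then
    run_with_allow "$@"
fi
```

Because the command is started first and the script only clicks the one window the hint names, the wrapper approves exactly the connection you just asked for; the delay is still a guess, as with the original pipe, so pick it by trying the command once by hand.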

Which is why it would be better to use the built-in firewall and the privilege separation it provides; learning about that would take too much work. People use Little Snitch because it's "easy" and they don't understand that OS X already provides the same functionality.

Little Snitch would be insecure were it to have a CLI, because it runs as the logged-in user and thus requires no password to make configuration changes. If it ran as the privileged user or another user, then you'd have to use sudo to change anything via the CLI.

Of course, in the "real world" you'd never be running your firewall from your workstation.

An update to this hint is coming up. I don't want to say too much so far, but yes, any app can just "programmatically" add rules to LittleSnitch with little chance you'll know about it! Being easy to use is no excuse for a huge lack of security; actually, I think it should be the opposite. If you don't know how to use ipfw and such, you probably don't realize how insecure LittleSnitch is, but it remains so!

Why not use ARD or Timbuktu or even a VNC app? I connect remotely to my machine via ssh, and on a few occasions I've run into this situation as well; to allow connections I've just connected via ARD. Works pretty well.

Sometimes you just can't. Say I'm at school: the ssh connection is extremely unreliable (it passes through the https proxy), and creating a tunnel is almost impossible. Plus it's a whole lot easier for the teacher to see I'm messing around if he sees a Mac desktop than just random text in a console, when we're using the console all the time during class ;)

This was originally posted as a hint a few days ago but never got published, so I'm putting it up here. I believe it is important that LittleSnitch users be warned about this.

I decided my original technique was not enough and came up with a PHP shell script to manage the LittleSnitch daemon via the terminal. This is how SnitchCTL was born. It allows you to start, stop and restart the daemon as well as use the UI script to allow or deny a connection. It also allows you to add basic allow-all/deny-all rules to the configuration. The script is available here. I have also set up a page for the script. The source is available from the site.

Disclaimer:
This script has been tested with Mac OS 10.4.2 and LittleSnitch builds 212 (1.2b3), 218 (1.2b5), 226 (1.2).
Tests have shown that running this script under 10.3.9 is a bad idea! Running this script poses a potential security risk!
This script is provided "as is"; I am not responsible for any damages that could occur from using it.
If you use it, you assume responsibility for what you do with it and whatever happens to you!

SnitchCTL build 006: A CLI interface to LittleSnitch.
This script must be run as root or using sudo!
Usage: ./snitchctl [option1] [[option2] [option3]] {delay}
-------------------------------------------------------------
Options:
  start     Starts LittleSnitch daemon
  stop      Stops LittleSnitch daemon
  restart   Restarts LittleSnitch daemon
  status    Shows LittleSnitch's status
  addrule   Allows to add a rule to the LittleSnitch configuration
            This only works to allow or deny all connections
            usage: ./snitchctl addrule [deny/allow] [path to application]
  allow     Allow via the GUI until the application quits on same port
  allowa    Allow via the GUI until the application quits for any connection
  deny      Denies via the GUI until the application quits on any connection
  delay     Used only with the three options above, allows to set a delay, in seconds,
            before the LittleSnitch alert window is dismissed (see below for usage)
            delay is optional
-------------------------------------------------------------
There are two methods for using the allow, allowa and deny options:
First is to use a second terminal window or ssh session, the second is by doing something like
$ curl apple.com & ./snitchctl allow 5

While creating this script I discovered that LittleSnitch was really not as secure as it should be, or appears to be. Fracai has posted a great warning call on the LittleSnitch mailing list. Here's a snippet:

LittleSnitch is not currently secure.
"killall LittleSnitchDaemon" will allow any app to "phone home" without being detected by LittleSnitch
Properly securing LittleSnitch would involve running the daemon and all LittleSnitch components as the root user or as an independent LittleSnitch user.
[...]
The main point to take away from this is that as it is currently implemented, LittleSnitch is not secure.
A malicious app need not sneak new rules into the configuration when the communication block is not effective.

Yes, you've read that properly. The LittleSnitch daemon runs in user space! This means any malicious application can stop the daemon, send the data and then start the daemon back up with very little chance that the user ever knows about it! LittleSnitch doesn't output to the system/console log, so there are no logs of what's been going on.

I suggest you read the site I've put up and the mailing list post by Fracai if you want to know more about this issue. I have also created a thread in the forums if you have any questions or comments.
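One way to watch for the weakness described above from the command line, as an added example that is neither the hint author's SnitchCTL nor OBDev's code: it lists the running processes, finds the daemon, reports whether it runs as root or as an ordinary user, and writes that line to the system log with logger, which gives you the log entry the post says LittleSnitch itself never produces. It assumes the daemon process is named LittleSnitchDaemon (the name used in the quoted mailing-list post) and that ps accepts -axo user,pid,comm as it does on Mac OS X; SNITCH_DAEMON and SNITCH_PS are assumed override variables, not Little Snitch settings.

```shell
#!/bin/sh
# snitch_check.sh: report whether the Little Snitch daemon is running and as
# which user, and log the result. Added example, not SnitchCTL or OBDev code.
# Assumes the daemon process is named LittleSnitchDaemon and that
# `ps -axo user,pid,comm` works (Mac OS X syntax); SNITCH_DAEMON and SNITCH_PS
# are assumed overrides so the check can be pointed at other input.

SNITCH_DAEMON="${SNITCH_DAEMON:-LittleSnitchDaemon}"
SNITCH_PS="${SNITCH_PS:-ps -axo user,pid,comm}"

# daemon_state: reads "user pid command" lines on stdin (the ps format above,
# header included) and prints one of:
#   missing          no process named after the daemon
#   root PID         daemon running as root
#   user:NAME PID    daemon running as the unprivileged user NAME
# Only the first matching process is reported.
daemon_state() {
    result="missing"
    while read -r user pid comm; do
        # comm is the executable path on Mac OS X; match on its last component
        case "$comm" in
            "$SNITCH_DAEMON"|*/"$SNITCH_DAEMON") ;;
            *) continue ;;
        esac
        if [ "$user" = "root" ]; then
            result="root $pid"
        else
            result="user:$user $pid"
        fi
        break
    done
    echo "$result"
}

# check_daemon: runs ps, prints a one-line assessment, sends the same line to
# syslog when logger is available, and returns 0 (root), 1 (unprivileged
# user) or 2 (not running) so it can be used from cron or a login script.
check_daemon() {
    state=$($SNITCH_PS | daemon_state)
    case "$state" in
        missing)
            msg="$SNITCH_DAEMON is not running: outgoing connections are not being filtered"
            rc=2 ;;
        root\ *)
            msg="$SNITCH_DAEMON running as root (pid ${state#root })"
            rc=0 ;;
        *)
            owner=${state%% *}
            owner=${owner#user:}
            msg="$SNITCH_DAEMON runs as '$owner' (pid ${state#* }): any process of that user can stop it"
            rc=1 ;;
    esac
    echo "$msg"
    if command -v logger >/dev/null 2>&1; then
        logger -t snitch_check "$msg" || true
    fi
    return "$rc"
}

# Usage: sh snitch_check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_daemon
fi
```

Running it from cron every few minutes turns the silent stop/send/restart sequence described above into a "not running" entry in the system log, which is the one trace the daemon itself would not leave; on a 1.x install the expected result is the "runs as 'yourname'" line, which is exactly the point Fracai was making.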

"SH.Renepo.B is a data-collecting script virus that only runs on Mac OS X systems.
[...] When the virus is executed, it does the following: [...]
15. Looks for LittleSnitch software (a shareware Firewall program with application control) and tries to terminate the process, when LittleSnitch attempts to perform network access."

So I decided to search around a bit more to see what I could find.
These are my findings. They are not exactly structured, but a lot of information can be found on these sites.